Bug 1932079 (CVE-2021-3445)

Summary: CVE-2021-3445 libdnf: Signature verification bypass via signature placed in the main RPM header
Product: [Other] Security Response
Reporter: Todd Cullum <tcullum>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: amatej, jmracek, jrohel, kaycoth, mblaha, nsella, packaging-team-maint, pkratoch, pmatilai, rpm-software-management, security-response-team, tcullum, vmugicag
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: libdnf 0.60.1
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in libdnf's signature verification functionality. This flaw allows an attacker to achieve code execution if they can alter the header information of an RPM package and then trick a user or system into installing it. The highest risk of this vulnerability is to confidentiality, integrity, as well as system availability.
Story Points: ---
Last Closed: 2021-11-02 23:09:39 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1932089, 1932090, 1940116
Bug Blocks: 1912449, 1939506

Description Todd Cullum 2021-02-23 20:53:18 UTC
libdnf does its own signature verification, but this can be
tricked by placing a signature in the main header. This is exploitable if
(and only if) RPM's package verification level is set to "digest" or "none".

Comment 1 Todd Cullum 2021-02-23 20:53:20 UTC
Acknowledgments:

Name: Demi M. Obenour

Comment 10 Todd Cullum 2021-03-04 19:52:59 UTC
Mitigation:

A mitigation for this flaw is to set `%_pkgverify_level all` or `%_pkgverify_level signature` in `/etc/rpm/macros`.
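As an added example (not part of this bug report or of rpm/libdnf), the following POSIX shell script reads the `%_pkgverify_level` macro from a macros file, classifies it against the condition stated in the description (the bypass is reachable only at "digest" or "none"), and appends the recommended `signature` setting when the level is not safe. The file path is a parameter; the demonstration at the bottom uses a constructed temporary file, not a real system file.

```shell
#!/bin/sh
# Audit and harden the RPM package verification level that gates
# the libdnf bypass described in this bug. Example code added here.

# Print the value of %_pkgverify_level defined in a macros file.
# As in rpm macro files, the last definition wins; prints nothing if unset.
pkgverify_level_from_file() {
    awk '$1 == "%_pkgverify_level" { v = $2 } END { if (v != "") print v }' "$1"
}

# Classify a level string: "safe" when a valid signature is required,
# "vulnerable" when the bypass condition from the description applies,
# "unset" when the file does not define the macro (rpm's built-in
# default then applies and should be checked with rpm --eval).
classify_pkgverify_level() {
    case "$1" in
        all|signature) echo safe ;;
        digest|none)   echo vulnerable ;;
        "")            echo unset ;;
        *)             echo unknown ;;
    esac
}

# Append the recommended macro when the current level is not safe.
# Prints the status found before hardening.
harden_macros_file() {
    status=$(classify_pkgverify_level "$(pkgverify_level_from_file "$1")")
    if [ "$status" != safe ]; then
        printf '%%_pkgverify_level signature\n' >> "$1"
    fi
    echo "$status"
}

# Demonstration on a constructed macros file (not a real system file).
demo=$(mktemp)
printf '%%_dbpath /var/lib/rpm\n%%_pkgverify_level digest\n' > "$demo"
echo "before: $(classify_pkgverify_level "$(pkgverify_level_from_file "$demo")")"
harden_macros_file "$demo" >/dev/null
echo "after:  $(classify_pkgverify_level "$(pkgverify_level_from_file "$demo")")"
rm -f "$demo"
```

Because rpm also reads other macro files (such as `/usr/lib/rpm/macros` and `~/.rpmmacros`), the effective value on a live host is best confirmed with `rpm --eval '%_pkgverify_level'` after editing `/etc/rpm/macros`.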

Comment 15 RaTasha Tillery-Smith 2021-03-16 17:18:36 UTC
Statement:

The exploitation of this flaw requires RPM's package verification level to be set to "digest" or "none". In addition, to exploit this flaw, an attacker must either compromise an RPM repository or convince an administrator to install an untrusted RPM. It is strongly recommended to only use RPMs from trusted repositories.

Comment 16 Todd Cullum 2021-03-17 15:53:56 UTC
Created libdnf tracking bugs for this issue:

Affects: fedora-all [bug 1940116]

Comment 19 errata-xmlrpc 2021-11-09 18:53:16 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4464 https://access.redhat.com/errata/RHSA-2021:4464

Comment 20 Red Hat Bugzilla 2023-09-15 01:01:59 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 500 days